Iran embroiled in internet security breach

Fake security certificates may have been used to spy on people in the Islamic Republic

Trend Micro analysis showed that a large proportion of compromised DigiNotar security certificates were being sent to Iran.

New evidence has come to light that suggests stolen web security certificates may have been used to spy on people in Iran, according to the BBC.

Trend Micro's analysis of compromised DigiNotar certificates showed a spike in the number of these certificates being issued to Iran.

The company believes that the digital IDs were used to trick computers into thinking they were accessing sites such as Google directly, but in reality someone may have been monitoring the communications.

DigiNotar, owned by US-based Vasco Data Security and based in the Netherlands, was hacked earlier this year, and hundreds of certificates are thought to have been compromised. Hundreds of bogus certificates are thought to have been generated following the attack.

Authentication certificates are supposed to guarantee that the sites visited by a user are what they appear to be and give the user secure access to sites, as well as preventing monitoring of a user by a third party.

Secure access usually takes the form of a TLS or SSL connection, and a padlock appears before the https prefix in the browser's address bar when the connection is secure.

If a third party stole certificate details or generated its own security certificates, web browsers would be unlikely to detect the difference.

On 19 July, DigiNotar discovered a breach of its systems and immediately revoked a number of fake security certificates; however, it has since emerged that some were missed, or that more were generated after the first attack.

According to the BBC, unconfirmed information suggests that approximately 500 fake security certificates exist.

Trend Micro noticed that a large portion of the Dutch company's certificates were going to users in Iran.

In August 2011, 76.5% of DigiNotar security certificates were in the Netherlands, with 18.7% in Iran and 4.8% in the rest of the globe, according to Trend Micro.

Iranian activity dropped off after the certificates were revoked.

DigiNotar publicly revealed the breach of its systems on 30 August, but by this time many web browsers had already stopped recognising DigiNotar certificates.

According to Rik Ferguson, Trend Micro's director of security research and communications, Iran's internet setup also makes some types of interception easier.

"All the internet traffic has to go through an Iranian government proxy before it goes out to the final destination. If you want to spy on normal HTTP traffic, that is not a problem - you get to see all the outbound requests and all the inbound responses," he told the BBC.

For secure websites, attempts to intercept traffic would raise the alarm with the web browser and the user.

According to the BBC, if cyber-criminals made the Iranian national proxy server look like the target website, using a fake DigiNotar certificate, the proxy would then relay information to and from the real website, and the user would see no indication that the secure chain had been broken.
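The two passages above (browsers being unable to tell a rogue certificate from a genuine one, and the proxy relaying traffic with no visible break in the chain) come down to one fact: ordinary path validation only asks whether the chain ends in a root the browser trusts, not whether the site's key is the one it has always used. The added example below is not from the article, the BBC or Trend Micro; it models certificates as a constructed dataclass rather than real X.509 and shows a chain validator with the two defensive checks that did catch this class of attack in practice: a distrust list for a breached CA, and public-key pinning for a high-value site. All CA names, hostnames and key bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate (constructed; real certs are DER
    and would be parsed with a library such as cryptography or OpenSSL)."""
    subject: str
    issuer: str
    spki: bytes  # SubjectPublicKeyInfo bytes; constructed placeholders here


def spki_pin(cert: Cert) -> str:
    """SHA-256 over the SubjectPublicKeyInfo, the value browsers pin."""
    return hashlib.sha256(cert.spki).hexdigest()


def validate_chain(chain, trusted_roots, distrusted_cas=frozenset(), pins=None):
    """Validate a leaf-first chain. Returns (ok, reason).

    trusted_roots:  set of SPKI pins for roots in the trust store
    distrusted_cas: subjects of CAs explicitly blocked (what browsers
                    did to DigiNotar after the breach)
    pins:           SPKI pins expected somewhere in the chain for this
                    host; None means the host has no pins
    """
    if not chain:
        return False, "empty chain"
    # Step 1: classic path validation. Each certificate must be issued by
    # the next one up, and the chain must end in a trusted self-signed root.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"broken chain: {child.subject} not issued by {parent.subject}"
    root = chain[-1]
    if root.subject != root.issuer or spki_pin(root) not in trusted_roots:
        return False, f"untrusted root: {root.subject}"
    # Step 2: distrust list. A CA can still be in the trust store of an
    # un-updated client, so the block is checked explicitly.
    for cert in chain:
        if cert.subject in distrusted_cas:
            return False, f"distrusted CA in chain: {cert.subject}"
    # Step 3: pinning. Trust in the root is not enough for a pinned host;
    # some certificate in the chain must carry a key the client expects.
    if pins is not None and not any(spki_pin(c) in pins for c in chain):
        return False, "pin mismatch: chain contains no pinned public key"
    return True, "ok"


# Constructed sample data: a genuine chain and a rogue chain for the same
# hostname, issued by a second root that the client also trusts.
GOOD_ROOT = Cert("Good Root CA (constructed)", "Good Root CA (constructed)", b"good-root-key")
GOOD_LEAF = Cert("www.example-mail.test", GOOD_ROOT.subject, b"genuine-site-key")
ROGUE_ROOT = Cert("Breached CA (constructed)", "Breached CA (constructed)", b"breached-root-key")
ROGUE_LEAF = Cert("www.example-mail.test", ROGUE_ROOT.subject, b"interceptor-key")

TRUSTED = {spki_pin(GOOD_ROOT), spki_pin(ROGUE_ROOT)}  # both roots shipped in the store
SITE_PINS = {spki_pin(GOOD_LEAF), spki_pin(GOOD_ROOT)}  # pins for the genuine site


def demo():
    """Run the four cases a defender cares about and return the verdicts."""
    return {
        "genuine": validate_chain([GOOD_LEAF, GOOD_ROOT], TRUSTED, pins=SITE_PINS),
        # Plain validation accepts the rogue chain: this is the article's point.
        "rogue_unpinned": validate_chain([ROGUE_LEAF, ROGUE_ROOT], TRUSTED),
        # Pinning rejects it even though the root is trusted.
        "rogue_pinned": validate_chain([ROGUE_LEAF, ROGUE_ROOT], TRUSTED, pins=SITE_PINS),
        # A distrust entry rejects it for every host, pinned or not.
        "rogue_distrusted": validate_chain(
            [ROGUE_LEAF, ROGUE_ROOT], TRUSTED, distrusted_cas={ROGUE_ROOT.subject}
        ),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:17s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The "rogue_unpinned" case is the one that matters: the chain is well-formed and anchored in a trusted root, so a client with neither a distrust entry nor pins accepts it, exactly as the article describes. Distrust entries arrive with browser updates and cover every host, while pins are fixed per site and catch a rogue certificate on day one; production clients use both.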

A Dutch Interior Ministry spokesman said that the cabinet is looking into claims of Iranian government involvement in the security breach.

Iran has previously been on the receiving end of malicious web attacks, including the well-planned Stuxnet virus, which was designed to take control of machinery in the country's uranium enrichment facility.